All tech giants fail on security disclosure, but Microsoft and Google do best

A new report ranking a dozen tech giants finds that all of them could do better at explaining how user data is secured.

The new index from Ranking Digital Rights highlights shortcomings in the way all tech firms disclose policies that describe users’ protections for privacy and freedom of expression.

The only companies to score more than 60 percent in the index were Google and Microsoft. Apple surprisingly ranked seventh of 12 internet and mobile companies, due mostly to scant descriptions of commitments to user rights through corporate governance. Samsung meanwhile ranked ninth.

The report, which calls Apple, Google, and Samsung “gatekeepers for privacy and security”, notes that all three require apps to have a privacy policy if they collect user information, but none publicly commit to checking whether these privacy policies offer adequate protections for users.

And while Android device makers mostly fail to deliver security updates to users, the report notes that Google was the only company that states how long its device models are guaranteed to receive software updates. Google had the best disclosures regarding Android policies for users’ freedom of expression and privacy, according to the report.

“Apple and Samsung did not provide such information, making it difficult for users to evaluate for how long their devices will be safe to use,” the report notes.

Google also ranked highest in a comparison of how companies disclose details about government and private requests to restrict content and accounts.

The index also covers whether companies have a real name policy and whether or not firms allow users to sign up without government-issued identification, which may pose a risk to users living under an authoritarian regime. Among mobile and internet firms, Microsoft and Twitter scored 100 points, followed by Google’s 83 points and mail.ru's 67 points. Apple, Facebook and Kakao each scored 50 points, while Yahoo scored 33. Companies lost points, for example, for requiring a phone number when creating an account.

All tech firms fell short on how they disclose information about how users can control information collected about them, though Microsoft and Twitter had the most detailed descriptions.

Google topped the field in a comparison of security policies and what is disclosed within them. The report compares how each firm educates users about potential security threats, information about what users can do to ensure their accounts are secure, how companies go about overseeing user security, encryption, how security vulnerabilities are addressed, and data breaches.

“Companies communicate less about what they are doing to protect users’ security than they do about what users should do to protect themselves,” the report notes.

Google’s high score here was due to its clearer disclosures about its encryption policies, followed by Apple, despite the Cupertino company’s public battle with the US government over encryption.

One criticism of Google, though, was that it doesn’t offer end-to-end encryption for Gmail, while Apple was criticized for not saying whether iMessage chats are encrypted with unique keys.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.